Title: [183069] trunk/Source/JavaScriptCore
Revision: 183069
Author: commit-qu...@webkit.org
Date: 2015-04-21 11:50:16 -0700 (Tue, 21 Apr 2015)

Log Message

REGRESSION (r182899): icloud.com crashes
https://bugs.webkit.org/show_bug.cgi?id=143960

Patch by Basile Clement <basile_clem...@apple.com> on 2015-04-21
Reviewed by Filip Pizlo.

* runtime/JSFunction.h:
(JSC::JSFunction::allocationStructure):
* tests/stress/dfg-rare-data.js: Added.
(F): Regression test

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (183068 => 183069)


--- trunk/Source/_javascript_Core/ChangeLog	2015-04-21 18:01:15 UTC (rev 183068)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-04-21 18:50:16 UTC (rev 183069)
@@ -1,3 +1,15 @@
+2015-04-21  Basile Clement  <basile_clem...@apple.com>
+
+        REGRESSION (r182899): icloud.com crashes
+        https://bugs.webkit.org/show_bug.cgi?id=143960
+
+        Reviewed by Filip Pizlo.
+
+        * runtime/JSFunction.h:
+        (JSC::JSFunction::allocationStructure):
+        * tests/stress/dfg-rare-data.js: Added.
+        (F): Regression test
+
 2015-04-21  Michael Saboff  <msab...@apple.com>
 
         Crash in JSC::Interpreter::execute
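Review bot: The new ChangeLog entry lists (JSC::JSFunction::allocationStructure) and the added test without saying what was wrong or what changed. A one-line description under the function entry, for example that allocationStructure() now returns nullptr when the function has no rare data instead of asserting, would let someone reading the log understand the crash fix without opening the bug.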

Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.h (183068 => 183069)


--- trunk/Source/_javascript_Core/runtime/JSFunction.h	2015-04-21 18:01:15 UTC (rev 183068)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.h	2015-04-21 18:50:16 UTC (rev 183069)
@@ -118,7 +118,9 @@
 
     Structure* allocationStructure()
     {
-        ASSERT(m_rareData);
+        if (!m_rareData)
+            return nullptr;
+
         return m_rareData.get()->allocationStructure();
     }
 
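Review bot: In allocationStructure(), the new early return makes nullptr a valid result, but nothing in the hunk documents that or shows a caller handling it. Replacing ASSERT(m_rareData) with "if (!m_rareData) return nullptr;" moves the null check from this accessor to every call site, so each caller that dereferences the returned Structure* needs its own check, and debug builds no longer flag callers that assumed rare data was present. Please add a comment stating that nullptr means the function has no rare data (or that it was cleared), and confirm in the patch description which callers were audited.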

Added: trunk/Source/JavaScriptCore/tests/stress/dfg-rare-data.js (0 => 183069)


--- trunk/Source/_javascript_Core/tests/stress/dfg-rare-data.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/dfg-rare-data.js	2015-04-21 18:50:16 UTC (rev 183069)
@@ -0,0 +1,9 @@
+function F () { this.inner = 42; };
+
+for (var i = 0; i < 10000; ++i) {
+    var x = new F(false);
+    F.prototype = Object; // Force clearing of the function's rare data
+    var result = x.inner;
+    if (result !== 42)
+        throw "Expected 42, got: " + result;
+}
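Review bot: In the loop, "new F(false)" passes an argument that F never reads, and the 10000 iteration count is unexplained; a short comment saying why that count is needed (the file name suggests it is to reach the DFG tier) and dropping the unused argument would make the test's intent clear. The test also only checks that x.inner is still 42, so it catches the crash but not a wrong prototype or structure after "F.prototype = Object"; consider asserting on the prototype of x as well. Minor style points: the stray ";" after the function declaration can go, and throwing "new Error(...)" instead of a string would give a stack trace on failure.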